WHY IT IS NECESSARY TO RAISE CYBER AWARENESS

The ANSSI’s IT hygiene guide reminds us of the extent to which raising awareness helps to establish and maintain a good level of security:

‘Every user is a link in the information systems chain. As such, as soon as they join the entity, they must be informed of the security issues, the rules to be respected and the correct behaviour to adopt in terms of information systems security, through awareness-raising and training initiatives’.

Raising awareness of the basic rules is all the more essential given that practices are evolving in the direction of greater exposure of companies to threats of all kinds (source: CLUSIF MIPS study, 2020 edition):

  • 36% of companies allow external access to their IS from uncontrolled workstations (cybercafés, personal workstations);
  • 70% allow staff access via personal tablets or smartphones (BYOD);
  • 71% admit to using external instant messaging services (Skype, Messenger, etc.);
  • 70% authorise the use of external social networks (Facebook, LinkedIn, etc.).

The employees of any company are therefore all liable, inadvertently or through ignorance, to generate vulnerabilities, with an endless list of bad practices:

  • passwords that are too simple or written down on a piece of paper;
  • disclosure of sensitive information on social networks;
  • using a laptop without a privacy screen when travelling by train…

WHY IT’S DIFFICULT TO RAISE AWARENESS OF CYBER RISKS

The first reason is organisational. Since the CISO’s job is cross-functional, cybersecurity awareness programmes cannot take up all their working time. According to the 2020 edition of CLUSIF’s study on ‘IT threats and security practices in France’, this mission accounts for only 14% of the CISO’s day-to-day work. The CISO is therefore faced with a time issue, to which budgetary constraints are sometimes added. But beyond these considerations, the real challenge for CISOs when it comes to raising awareness is to deal with the human factor.

  • Employee attitudes

There are those who think they already know everything, those who don’t feel concerned by cybersecurity, and even those who refuse to follow instructions out of reluctance to change… Faced with the variety of these behaviours and the irritation they can generate, it’s not always easy for the CISO to keep calm and motivated!

  • The posture of the CISO

Raising awareness is like setting up an advertising campaign: you have to identify your targets, find the right message for each of them, and then choose the right channels. However, CISOs still have a predominantly technical profile, which is why they may be confronted with their own personal difficulties (shyness, doubts about their creative potential, etc.).

As a CISO, how do you structure your cyber awareness?

Cyber awareness, like many projects involving change management, is a question of small steps, but also of effectiveness: whatever the organisation put in place and the budgets allocated, it will only work if users feel involved and responsible! To achieve this, CISOs have a number of levers to activate.

Find support

  • Top management

As part of the dialogue that they establish with their management, every CISO necessarily addresses the issue of cyber awareness.

The Executive Committee doesn’t seem to be too keen on the subject? It’s up to the CISO to come up with a ruse! Faced with the budgetary argument, it’s up to him to organise workshops or speeches at a lower cost.

Does the Executive Committee doubt the value of the proposed actions? No problem: the CISO can start his awareness-raising work by trapping managers (by sending them a USB key, for example), and showing them by example what can happen when people are not careful.

  • The communications department

How can a message on cyber security be made accessible, or even fun? What formats should be used? By talking to the communications department, CISOs have every chance of obtaining creative and technical assistance.

The icing on the cake is that this collaboration is also an opportunity to make the department aware of the risks to which some of its service practices expose the company (such as using the services of web agencies without informing the IT Department, for example).

  • The HR department

Cybersecurity is still very much presented as a constraint, most often in the form of an IT charter that employees have to sign when they are recruited. However, many employees, even if they are aware that they have committed themselves to respecting the rules, tend to forget them very quickly… HR is therefore a valuable ally for the CISO, who can call on them throughout the employee’s career.

  • Security champions, or early adopters

Which managers are the most receptive to talks about cyber security? Who are the good students in the teams? The CISO absolutely must identify them, because these ‘champions’ will play a part in the mission of evangelisation, by ensuring that messages and good practices are spread.

As in marketing, the individuals who are the first to adopt a new trend succeed in drawing the silent majority, made up of people with a more ‘follower’ temperament, into their wake… until the movement finally reaches the most resistant!

Use existing resources

A security awareness action does not need to be expensive to be effective. Faced with a lack of resources (and even time), CISOs should not hesitate to use existing means of awareness-raising, or to graft their actions onto actions undertaken by other departments: here are two examples.

  • Video campaigns: on YouTube, the public interest group ACYMA (Actions Against Maliciousness) offers free awareness videos on essential subjects (using a password that is too simple, closing security vulnerabilities by carrying out updates, phishing…).
  • Goodies: is the company planning to distribute mouse pads, calendars or pens? These are inexpensive media that the CISO can use to convey brief messages, and that employees will keep in front of them all day.

Focus on what works!

The failure of cyber awareness campaigns is often due to the lack of relevance of the chosen means of communication. The CISO must therefore sort through the media and channels at his disposal, using the following reading grid.

  • 1st level: simple, top-down information, by email, newsletter, conference or poster. These means are not always effective: for lack of stimulation, employees tend not to retain the message… or even not to listen to it or read it.
  • 2nd level: information with a little more staging, for example with educational videos. More accessible than written content and more engaging, this format makes it easy to disseminate messages on a regular basis (for example, by playing videos on screens in the break room) and makes a greater impact.
  • 3rd level: experimentation, with practices such as sending a trapped file, so as to then be able to explain to employees how opening it can be dangerous for the entire IS. This level also corresponds to “shock” operations, such as hacking phones with an SMS during a convention. Whatever the stratagem used, the beneficial effect remains the same: employees feel concerned after having had the experience and thus more easily remember the good practice to adopt.
  • 4th level: gamification, or the use of serious games, which is based on learning through experience, with the employee this time being an actor in their own right. Original and interactive, this format represents a notable investment, but has the advantage of particularly appealing to generation Y.

Finally, the creation of a visual identity is a plus! It will allow employees to quickly identify messages about cybersecurity, but also to get to grips with the concept and integrate it more easily into their daily lives.

DISCOVER TENACY

Tenacy is the first cybersecurity management solution, designed by CISOs to help CISOs in their organizations. An adaptable and collaborative SaaS platform, it allows CISOs to more easily collect data from teams, but also to free up their time to be able to devote more time to substantive subjects such as awareness raising.

Contact us for a demo!